I install Winlogbeat and its not start service, i use the default config file and nothing, i recive error 1053 from windows service. I am using windows 11.
- Have you check winlogbeat log
- Have you check Event log
- Have you run installation with admin rights?
- Have you tested
winlogbeat.exe test config? - Have you setup
output.elasticsearchparams in ?
- Have you check winlogbeat log - There is no information, the service stop before start the log of winlogbeat
- Have you check Event log - Error return is 1053
- Have you run installation with admin rights? - Yes
- Have you tested
winlogbeat.exe test config? - Yes, its OK - Have you setup
output.elasticsearchparams in ? - Yes
You need to check in event viewer for any hint of why the service don't start, you will probably have more eventes around the time you tried to start it.
You can also try to start it through a powershell console to see what is the error.
He already said no details. However, it should be something in Event System log.
As Leandro said, try winlogbeat from console. This is always the first step to make sure that everything is OK.
Have you use the zip or msi package? There might be an issue with the data directory. Check this or this and of course add logging in winlogbeat.yml
I had same experience with Filebeat 8.13.1 and Winlogbeat 8.13.1. Windows service won't start. I'm however able to start applications from command line using just "run" parameter. I resolved the issue by installing 8.12.2 versions of applications
I just ran into the same issue using the MSI installer with winlogbeat 8.13.1 on Windows 11.
The issue appears to affect version 8.13.1 and 8.13.0. I traced the issue down to the MSI incorrectly configuring the path to the executable (binPATH) of the service, which by default post-installation is:
"C:\Program Files\Elastic\Beats\8.13.1\winlogbeat\winlogbeat.exe" --path.home "C:\Program Files\Elastic\Beats\8.13.1\winlogbeat\" --path.config "C:\Program Files\Elastic\Beats\8.13.1\winlogbeat\" --path.data "C:\Program Files\Elastic\Beats\8.13.1\winlogbeat\" --path.logs "C:\Program Files\Elastic\Beats\8.13.1\winlogbeat\" -E logging.files.redirect_stderr=true
After reviewing the binPath of earlier working versions, I determined that the issue is the " \" at the end of the config paths. This version worked for me:
"C:\Program Files\Elastic\Beats\8.13.1\winlogbeat\winlogbeat.exe" --path.home "C:\Program Files\Elastic\Beats\8.13.1\winlogbeat" --path.config "C:\Program Files\Elastic\Beats\8.13.1\winlogbeat" --path.data "C:\Program Files\Elastic\Beats\8.13.1\winlogbeat" --path.logs "C:\Program Files\Elastic\Beats\8.13.1\winlogbeat" -E logging.files.redirect_stderr=true
To resolve the issue, I used an elevated cmd prompt and ran the following:
sc config winlogbeat binPath="\"C:\Program Files\Elastic\Beats\8.13.1\winlogbeat\winlogbeat.exe\" --path.home \"C:\Program Files\Elastic\Beats\8.13.1\winlogbeat\" --path.config \"C:\Program Files\Elastic\Beats\8.13.1\winlogbeat\" --path.data \"C:\Program Files\Elastic\Beats\8.13.1\winlogbeat\" --path.logs \"C:\Program Files\Elastic\Beats\8.13.1\winlogbeat\" -E logging.files.redirect_stderr=true"
The output should be [SC] ChangeServiceConfig SUCCESS if its successful.
After making the change I started the service normally, and it worked as expected.
Hope this helps, and is resolved in future versions!
2 Likes
This works for me.
FYi I think this will be fixed in the next release via Remove trailing slash and store data and logs in subfolders by strawgate · Pull Request #264 · elastic/elastic-stack-installers · GitHub